So I downloaded a PDF which is password protected. Inside the same folder there are the following apparently harmless files:

[image: folder listing showing two apparently harmless .txt files]

As you can see, they are both .txt files, right? Pretty harmless... Actually, not: if you look closely you can see that the PDF Password file is actually a shortcut link; investigating it, it has the following command in the shortcut:

C:\Windows\System32\cmd.exe cmd /c Credits.txt

Ok. So it's not a .txt file and it runs a command for the other apparently harmless .txt file... which also happens not to be a .txt file, because its contents look something like:

[image: hex dump of Credits.txt showing binary data]

Binary data. So when you run this, a process called TaskMgr with a weird icon appears. I'm a programmer and I'm curious, what's the anatomy of this attack? What type of data can be run using CMD like this? Which programming language is in this file and how can I decompile it to see exactly what it's doing to the system?

I must admit, this one is pretty clever.

sigmaxf

Comments:

  • [Starting with MZ](https://en.wikipedia.org/wiki/DOS_MZ_executable) - this looks like a normal windows binary. Which then can do everything the current user can do, including collecting all data and sending them to some attacker controlled system or encrypting all files (i.e. ransomware) or [trying some unfixed local privilege escalation](https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/) to do even more harm with system user permissions. – Steffen Ullrich Sep 02 '18 at 19:08
  • File extensions are generally meaningless and easily changed. Windows tries to make them seem like an inherent property of the file, but every other OS treats them as exactly what they are - the very changeable end of the file name which is meant to, but doesn't actually, give hints about the file contents. – Conor Mancone Sep 02 '18 at 19:28
  • 3 years later and this still amuses me. A regular user would fall for this one 99 out of 100 times. – sigmaxf Feb 24 '22 at 16:52

3 Answers

The other answers are basically correct, but are missing the key element:

A weird legacy behavior in cmd.exe is that when you give it a file as a command (either via the /c parameter or by just typing the file name into the interactive shell), the first thing it does is call CreateProcess on that file. CreateProcess is the Win32 API to launch a program, and it does not care about the file extension; it only cares whether or not the file is executable code and has Execute permission (which all Windows files have, by default). Only if CreateProcess fails does cmd fall back to ShellExecute, which takes an action based on the file extension and registered handler.

As the other answers noted, your ".txt" file is actually a Windows PE executable binary (basically, a renamed ".exe" file). If you ran it on your machine, there's a pretty good chance your system is now compromised by malware.

CBHacking


You can get the following inferences:

  1. The file starts with MZ which implies this is a PE file.
  2. There is a string "This program must be run under Win32."
     This is a part of the MS-DOS header, which confirms inference 1.
     It also means that it is a 32 bit executable (x86).
  3. Let's understand C:\Windows\System32\cmd.exe cmd /c Credits.txt
     • C:\Windows\System32\cmd.exe cmd is asking to start a new instance of the Windows XP command interpreter.
     • /c means 'Carries out the command specified by string and then terminate'.
       In short, it runs Credits.txt

To actually understand what exactly it does, you need to disassemble the program and look into the assembly code using some tools like IDA Pro.

Jithin Pavithran
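A content-based check of the two files described in the question, as an added example that is not code from the question or from any of the answers. It makes concrete the point both CBHacking's and Jithin Pavithran's answers rely on: the bytes decide what a file is, not the extension. The MZ stub and "PE\0\0" signature identify a Windows executable whatever it is named, and the COFF Machine field (0x014C for x86, 0x8664 for x64) is the reliable indicator of bitness; a shell link is recognised by its fixed 20-byte header, and since Explorer never displays the .lnk extension, a file called "PDF Password.txt.lnk" is shown as "PDF Password.txt". The sample headers are constructed stand-ins (headers only, nothing executable); the file names are taken from the question. Only the standard library is used.

```python
"""Identify files by content, not by extension (added example, standard library only).

The sample byte strings below are constructed to mimic the headers of a
32-bit PE executable and a Windows shell link (.lnk); they are not real files.
"""
import os
import struct

# Magic values from the PE/COFF and MS-SHLLINK specifications.
PE_MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}
DOC_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png"}


def identify(data: bytes) -> dict:
    """Classify the bytes by their header; the file name plays no part."""
    if data.startswith(LNK_HEADER):
        return {"type": "lnk", "note": "shell link; opening it runs the stored command line"}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 6:
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]  # COFF Machine field
            return {"type": "pe", "machine": PE_MACHINES.get(machine, hex(machine))}
        return {"type": "mz", "note": "MZ header without a valid PE signature"}
    return {"type": "other"}


def suspicious_name(name: str, info: dict) -> bool:
    """True when the name suggests a harmless document but the content is runnable."""
    root, ext = os.path.splitext(name.lower())
    if info["type"] == "pe":
        return ext not in PE_EXTS                      # e.g. a PE called Credits.txt
    if info["type"] == "lnk":
        # Explorer hides ".lnk", so "x.txt.lnk" is displayed as "x.txt".
        return ext != ".lnk" or os.path.splitext(root)[1] in DOC_EXTS
    return False


def build_sample_pe(machine: int) -> bytes:
    """Construct an MZ stub plus PE/COFF header (headers only, nothing executable)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew points just past the stub
    coff = struct.pack("<H", machine) + b"\x00" * 18   # Machine + rest of COFF header
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed stand-ins for the files in the question.
SAMPLES = {
    "Credits.txt": build_sample_pe(0x014C),
    "PDF Password.txt.lnk": LNK_HEADER + b"\x00" * 56,
    "README.txt": b"This one really is text.\r\n",
}


def scan(files: dict) -> list:
    """Return (name, detected type, flagged) for each name -> bytes pair."""
    report = []
    for name, data in files.items():
        info = identify(data)
        report.append((name, info["type"], suspicious_name(name, info)))
    return report


def scan_directory(path: str) -> list:
    """Same check over real files; the first 64 KiB is enough for the headers."""
    files = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                files[entry.name] = fh.read(65536)
    return scan(files)


if __name__ == "__main__":
    for name, kind, flagged in scan(SAMPLES):
        print(f"{name:24} {kind:6} {'SUSPICIOUS' if flagged else 'ok'}")
```

Run against a real download folder with `scan_directory(path)`; the two files from the question would both be flagged, the PE because its extension is not one an executable normally carries, the shortcut because a document extension is tucked in front of the hidden .lnk. The check is deliberately name-agnostic, which is exactly why the rename trick the question describes does not defeat it.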

As you can see from the screenshot, credits.txt is actually a Windows binary ("this program must be run under Win32").

cmd /c runs the program specified (in your case credits.txt). The file ending is apparently not relevant in this case.

Lukas